Allow an application only for Teams via Cloudflare Access without Web Authentication (By Using Warp Client and CF Teams)

My application is hosted on
This is an API which is used for a desktop application on a user’s computer.

Using Cloudflare access, I could have protected if this is a web app.
But I want to allow the members from Cloudflare Teams only to access this application. They should be able to access this service if they are connected to Cloudflare Teams VPN, everyone else should not have access to this service.

Since Cloudflare is handling my DNS and Teams VPN service, I believe this is possible but cannot figure out how!

How do achieve this?

There is no “Gateway” option in my drop-down.
How to get this option in my drop-down?

I have following options in my dropdown:
Country, Email, Emails ending in, IP Ranges, Everyone, Common name, Valid Certificate, Service token, Any Access Service Token & Login Methods

Sorry, missed one part. You need to add a device posture attribute here first:

1 Like

There is still no difference after adding Gateway (and WARP as well as there was no difference for me after just adding Gateway)

Expected outcome

  1. No Cloudflare login screen should come up when user connected to Cloudflare Teams VPN
  2. Not allowed to access the page without connecting to Cloudflare Teams VPN

Current Outcome:

  1. It’s still asking for Web Login when I am connected to Teams VPN.
    Since the desktop application uses direct calls to the server, this Web Login is causing issue over here.

This is my current rule definition

Not yet available

I guess I should update my answer… it is actually available now. It does however require that Proxy is enabled in Settings | Network (first option). That being said… @w3dev I’d remove Warp from the policy above and just have Gateway … the former being anyone with the Warp Client, the latter being Anyone running the Warp client signed into your team.


Is it? I have Proxy enabled (and TLS Decryption). I have Device Posture Gateway in the list and have added Gateway to a rule - tried both as Group and as Additional Rule.

In both cases I still received the login page for my Cloudflare Access.

Great! Was really waiting for this one a long time! I suppose we need to add this as a “Bypass”-rule?

It is working - added a Service Auth rule. Connected via WARP and no login page required. Disconnected from WARP and login page shown again.


1 Like

Thanks, it works after setting the rule mode to “Service Auth”
However, it seems like we cannot filter by Email in case of Service Auth

@cs-cf Since we setup Cloudflare teams by our Cloudflare Teams email address, is there any way that we can add an Email filter while using Service Auth?

Not today, perhaps in the future.

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.